In April 2013, CNN introduced the world to Shodan, a search engine for internet-connected devices, by publishing an article titled, Shodan: the scariest search engine on the Internet. CNN described how Shodan was used to find vulnerabilities: “… control systems for a water park, gas station, hotel wine cellar and crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle accelerator cyclotron using Shodan.
The article stated that these devices had almost no security; the lack of security was due to two main reasons. First, most of these IoT devices were manufactured at low cost in an effort to remain competitive in the market. Second, internet connectivity and cybersecurity were absent from the initial design of these devices.
But the fear of Shodan and the dire state of IoT device security dates back to 2013 – since then, Shodan has been synonymous with internet searches for connected devices. Surely we’ve already learned a thing or two about cybersecurity and attack surface management. Right?
Nine years after the publication of this infamous article, Shodan is still tendency. It remained a popular search item on Google in 2021, and Cognyte’s research from the same year found it to be the subject of 75 news articles and over 4,000 posts on Dark hacking forums. Web, mainly related to malware and vulnerability scanning activities. While Shodan remains the most popular site of its kind, competitors such as BinaryEdge, Censys, and ZoomEye are making a name for themselves in the field. These search engines typically work by scanning the entire IP range for connected devices, allowing users to search for device information, including open ports, SSL certifications, vulnerabilities, and more.
These search engines are still mainly used to scan the internet for open devices and their vulnerabilities. This type of analysis is used by both security researchers and threat actors. And while there are still several devices that can be found, there are not as many as before; fewer sensitive devices can be found or accessed this way.
Security researcher using Shodan to find exposed AD controllers Source: https://twitter.com/lkarlslund/status/1511727317365800963
Another step towards securing the Internet is the implementation of SSL certificates, which have become almost mandatory for websites to work properly on browsers. According to the website Web Courtthere are approximately 176,000,000 SSL certificates on the internet today, representing an increase of approximately 10% since Last year. Although this is an encouraging statistic, the use of search engines such as Shodan has revealed that in most cases the IP address of many devices is still directly accessible. In fact, attackers have successfully circumvented the use of SSL in a number of different social engineering attacks.
Using Shodan to find vulnerabilities
An interesting trend over the past couple of years is the use of IoT search engines like Shodan in other aspects of cybersecurity research and attack surface management. These search engines are widely used by security researchers to detect databases that have been accidentally exposed to the Internet, allowing anyone to access and download their content, and then find vulnerabilities. Shodan can be used to detect and locate malware command and control servers, devices used by hackers to control malware. In several cases, security researchers have been able to detect these servers, disable them, or even take control of them, which can undermine the operations of attackers.
A query in Shodan used to detect malware command and control servers
Shodan and its ilk can be more than just creepy internet search engines. While these search engines can be used by bad actors to find anything from smart fridges to internet-connected ships, their power can also be put to good use. Security teams, SOCs, and CISOs can use these tools to better understand their organization’s exposure to the outside world. Such understanding can help focus teams’ responses to security events, guide them when working with other departments in the organization, and improve decisions about resource allocation.
These search engines can also help security researchers and law enforcement agencies (LEAs) in the fight against cyberattacks. Organizations can use Shodan and its competitors to map national risks, detect botnets and malware command and control servers, monitor difficult servers, detect data leaks before they become breaches and more .
When good guys use the same tools as threat actors to find their own vulnerabilities, they harm attackers at different stages of the attack: reconnaissance, collection, command and control, and exfiltration. This strategy can minimize the efficiency gap between attacker and defender and give organizations a chance to stop attacks in their tracks.